Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Odd packets

Published: 2009-05-01
Last Updated: 2011-02-21 19:39:50 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

No.           Time             Source                 Destination         Protocol Info
107496   10.768466   10.10.10.10        12.12.12.12         UDP Source port: 43152  Destination port: http

Frame 107496 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: Cisco (MACSRC), Dst: Cisco (MACDST)
Internet Protocol, Src: my-net (10.10.10.10), Dst: apnic (12.12.12.12)
User Datagram Protocol, Src Port: 43152 (43152), Dst Port: http (80)
Data (76 bytes)
 
0030  01 00 8f f9 08 00 61 62 63 64 65 66 67 68 69 6a   ......abcdefghij
0040  6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 61 62 63   klmnopqrstuvwabc
0050  64 65 66 67 68 69 00 00 00 00 00 00 00 00 00 00   defghi..........
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0070  00 00 00 00 00 00   

A few things to note, these are UDP packets from a high src port to port 80. They are coming from an 'our' network and going to a system in APNIC. There are a significant number of them.

Any ideas? Let us know.     

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.                

Keywords: packets
0 comment(s)

Adobe Flash Media Server privilege escalation security bulletin

Published: 2009-05-01
Last Updated: 2011-01-24 23:46:11 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

From their web site: A potential vulnerability has been identified in Flash Media Server 3.5.1 and earlier that could allow an attacker to execute remote procedures in Flash Media Interactive Server or Flash Media Streaming Server. Adobe recommends users update to the most current version of Flash Media Server (3.5.2 or 3.0.4 or greater)

Updates available to address Flash Media Server privilege escalation issue

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Keywords: adobe flash
0 comment(s)

OpenBSD 4.5

Published: 2009-05-01
Last Updated: 2011-01-24 23:45:50 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

OpenBSD 4.5 has been released. There are a few security and reliability fixes, including OpenSSH 5.2.

www.openbsd.org/45.html

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Keywords: OpenBSD
0 comment(s)

Incident Management

Published: 2009-05-01
Last Updated: 2011-01-24 23:45:30 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Continuing on the discussion started here regarding Incident Response and Incident Handling, let's now introduce Incident Management. One of the issues we face in IT security is that we do not always use a common set of definitions or terminologies, so I find explaining what I mean is helpful when I say Incident Management, which may be different from what others understand. Looking at a couple of industry definitions we can see that they differ somewhat, but have common themes.

From ITIL: The objective of Incident Management is to restore normal operations as quickly as possible with the least possible impact on either the business or the user, at a cost-effective price.

From SEI: An incident management capability is instantiated in a set of services considered essential to protecting, defending, and sustaining an organization’s computing environment, in addition to conducting appropriate response actions.

From ISO/IEC 27002: Information security incident management - anticipating and responding appropriately to information security breaches.

From US-CERT: An incident management capability is the ability to provide management of computer security events and incidents. It implies end-to-end management for controlling or directing how security events and incidents should be handled. This involves defining a process to follow with supporting policies and procedures in place, assigning roles and responsibilities, having appropriate equipment, infrastructure, tools, and supporting materials ready, and having qualified staff identified and trained to perform the work in a consistent, high-quality, and repeatable way.

The definitions I work from are as follows:

Incident Response is all of the technical components required in order to identify, analyze, and contain an incident.

Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.

One definition is more related to tactical, the other operational. Response focuses on the immediate needs of incident at hand; Handling on the broader capabilities of an organization to prepare for an incident.

Incident Management is the framework and set of functions required to enable Incident Response and Incident Handling within an organization.

Information Security Incident Management (IM) is not composed of a single process, but rather includes a number of operational and technical components which provide the necessary functions in order to support the traditional “Preparation, Identification, Contain, Eradication, Recovery, Lessons Learned” incident process model, including longer term monitoring, strategic planning, and trend analysis.

I helped develop an Incident Management Maturity Model (IM-MM) which included the following domains:

  • Threat Environment Monitoring
  • Security Incident Monitoring
  • Vulnerability Management
  • Configuration Management
  • Log Management
  • Forensics:
  • Incident Handling
  • Co-ordination/Centralization
  • Knowledge Management

People, policy, processes, and technology in each of these domains are required to varying degrees for an organizational Incident Management capability to function correctly. Each can also be evaluated for an assessment of the organization's overall capability to resolve incidents. 

Cheers,
Adrien de Beaupré, yes I do hold the GCIH certification, analyst #69. And yes, I have worked in Incident Response, Incident Handling, and Incident Management for quite some time. 

Adrien de Beaupré
Intru-shun.ca Inc.

The IM-MM has been released under a Creative Commons license, but not published as of yet, working on it now. Disclaimer, I am not an employee of SANS nor GIAC, and do not represent them. My opinions are my own and not my employer's nor anyone else's. And yes, I am Canadian eh!

0 comment(s)

Password != secure

Published: 2009-05-01
Last Updated: 2011-01-24 23:44:54 UTC
by Adrien de Beaupre (Version: 1)
1 comment(s)

Reading a story on how an attacker broke into the administrative interface to twitter was the following quote: "One of the admins has a yahoo account, i've reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password." Social engineering and good guessing trumps security every time. Twitter have confirmed the intrusion, so sad but true. No hacking necessary. I could probably rant for hours on the subject, but most of you know the story. Enough said.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Keywords: twitter hack
1 comment(s)
Diary Archives